Opaque Attack on Three-Party Quantum Secret Sharing Based on Entanglement 
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Security of the three-party quantum secret sharing (QSS) schemes based on entanglement and a 
collective eavesdropping check is analyzed in the case of considerable quantum channel losses. An 
opaque attack scheme is presented for the dishonest agent to eavesdrop the message obtained by the 
other agent freely, which reveals that these QSS schemes are insecure for transmission efficiencies 
lower than 50%, especially when they are used to share an unknown quantum state. Finally, we 
present a general way to improve the security of QSS schemes for sharing not only a private key but 
also an unknown quantum state. 
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In a secret sharing a sender, say Alice, has two 
agents. Bob and Charlie who are at remote places. Alice 
hopes that the agents can carry out her instruction (the 
message Ma), but she suspects that one of them (not 
more than one) may be dishonest and the dishonest one 
will do harm to her belongings if he can deal with it 
independently. Moreover, Alice does not know who the 
dishonest one is. For the security of the secret message 
Ma, Alice splits it into two pieces, Mb and Mc, and 
then sends them to Bob and Charlie, respectively. The 
two agents can read out the message Ma = Mb © Mq if 
and only if they cooperate, otherwise none can obtain a 
useful information. Quantum secret sharing (QSS) is the 
generalization of classical secret sharing into quantum 
scenario and has progressed quickly in recent years. It 
provides a secure way for sharing not only a classical 
information [3, i, i,]! @, 0, 11 llEpJIll but also a 
quantum information [3. Isl. [l3l [l4l. [ig| . In the latter, 
the sender Alice will send an unknown quantum state to 
her agents, and one of them can recover it with the help 
of the other [H, [H, [MJiIL Now, QSS has also been 



studied in experiment 



[18, 19]. In general, QSS is 



far more complex than quantum key distribution (QKD) 
[20j as the dishonest agent, a powerful eavesdropper, has 
a chance to hide his eavesdropping by cheating the others. 

Almost all the QSS schemes existing can be attributed 
to one of the two types, the collective eavesdropping- 
check one and the individual eavesdropping-check one. 
The feature of the QSS schemes based on a collective 
eavesdropping check is that the procedure of the eaves- 
dropping check can be completed only when the sender 
Alice gets the cooperation of the dishonest agent. That 
is, Alice should require him to publish his outcomes of 
the measurements on the samples chosen randomly for 
checking eavesdropping. Otherwise, she and the honest 
agent cannot accomplish the task. The typical models are 
those in the Refs. [2, ,3, 4, 5, 6, 7, 8, 14, 15]. In contrast, 
in the individual eavesdropping-check QSS schemes, the 
eavesdropping check between Alice and the honest agent 



does not resort to the information published by the dis- 
honest one. In other words, Alice and the honest agent 
can analyze the error rate of their samples independent of 
the dishonest one, and determine whether the quantum 
channel between them is secure or not. Typical such QSS 
schemes are the ones presented in Refs. [a,[l3,[il|,[il[ll. 

There is a class of one-way QSS schemes whose security 
is based on entanglement and a collective eavesdropping 
check (ECEC), called them one-way ECEC QSS, such as 
those in Refs. 0, i, i, i, i, S Q [S [H, [ll [H, [H , 
including the Hillery-Buzek-Berthiaume (HBB) scheme 
3] and the Karlsson-Koashi-Imoto (KKI) scheme 0], 
and the experimental demonstrations for sharing a clas- 
sical message [13, 0, [13] or a qubit [l^. Although 
there are differences among particular schemes, almost 
all of them realized the following scenario. First, the 
sender Alice prepares two photons in an entangled state 
\£.^)bc = ^(|a>B|/3)c ± \a)B\P)c), and sends the pho- 
ton B to Bob and the photon C to Charlie (here \a) 
and \a) are the two eigenvectors of a two- level quantum 
system, so do 1/3) and ]/3)). Secondly, Bob and Char- 
lie choose at least two nonorthogonal measuring bases 
(MBs) to measure their photons independently. Thirdly, 
Alice tells Bob and Charlie which photons are chosen 
as the samples for checking eavesdropping, and then the 
three participants analyze the error rate of the samples 
collectively for determining whether the quantum chan- 
nel is secure or not. Finally, if Alice deems that the 
quantum channel is secure, she and her agents distill a 
private key from the outcomes for which Bob and Charlie 
choose two correlated MBs. Let us emphasize here two 
properties of the one-way ECEC QSS. First, the quan- 
tum systems are sent from Alice to her agents in one 
way. Second, its test eavesdropping procedure depends 
on the entanglement correlation of the quantum systems 
and the information published by all the participants. 

As the security of a QSS scheme is based on the public 
statistical analysis of the error rate of the samples chosen 
randomly by the three participants including the poten- 



2 



tially dishonest agent, it must be guaranteed against the 
dishonest agent with unhmited computing power whose 
technology is Umited only by the laws of quantum me- 
chanics 21]. Without loss of generality, we assume that 
the dishonest agent is Bob. The aim of this paper is 
to present an opaque attack scheme for Bob to obtain 
Alice's message (a classical one or a quantum one) with- 
out the cooperation of the other agent Charlie, provided 
that quantum channel losses are high enough. The su- 
periority of Bob over current technology is restricted to 
the possibility of near lossless photon transmission, the 
storage of quantum states, and the capability of prepar- 
ing and manipulating two-photon Bell state. Same as 
Ref. [i^] , our scheme considers the opportunity of eaves- 
dropping arising due to a separation of two procedures, 
namely, the eavesdropping-check procedure and the mes- 
sage sharing procedure (including the one for sharing an 
unknown quantum state). 

Now, let us elaborate the principle of the one-way 
ECEC QSS with the example of the KKI scheme 0. Al- 
ice encodes a randomly binary bit string S, selecting for 
instance two sets of states \4'~)} {|0)i and 

{!*+), 1$-)} ^ {|0'), |1')} which are defined as follows. 
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where the subscripts B and C represent the two photons 
in an entangled state, and | ± z) and | ± x) are the eigen- 
states of the z-spin (basis Z) and the x-spin (basis X), 
respectively. 
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The KKI QSS scheme works with three steps below. 

(1) Alice prepares two photons randomly in one of the 
four states !(/>"), 1^'"''), |^~)}: and sends the pho- 
ton B to Bob and the photon C to Charlie. The two 
agents Bob and Charlie locally measure their photons 
with the two bases Z and X randomly. They repeat this 
procedure for obtaining an enough large set of outcomes 
Sa for distilling their private key Ka = Kb © Kc- Here 
Ka, Kb and Kc are the keys kept by Alice, Bob and 
Charlie in secret sharing, respectively. 

(2) Bob and Charlie declare a set of outcomes for a test 
of eavesdropping first and then the measurement bases 
for all the outcomes Sa- As claimed by the authors in 
KKI QSS scheme Q, this order is very important for 
testing eavesdropping. Even they invented a refined or- 
der for their QSS scheme. That is, for the test bits, say 
Ss, the person who declared the outcome first should be 
the last to declare the basis. 



(3) After the information about the outcomes and the 
bases for the test bits have been released, Alice tells Bob 
and Charlie which of two bases the state was sent, but 
not which state. For completing the error rate analysis 
of the test bits, Alice publishes which states were sent 
for them. In this way, half of the outcomes Sa are useful 
as Bob and Charlie choose such two correlated bases for 
their measurements that they can deduce the states sent 
by Alice after she announces her bases, and the other 
outcomes will be discarded. 

In essence, the KKI scheme Q is a typical model for 
the one-way ECEC QSS. The HBB scheme is equiva- 
lent to the KKI scheme if the three participants exploit 
the refined order to declare the information for the test 
bits although the quantum information carriers are three- 
particle Greenberger-Hornc-Zcilinger states. 
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where | ±y) — ■^{\ + z) — z)). When Alice measures 
her photon A with the basis X , the two photons B and C 
are in one of the two states {|V''^), I'/'' )}; otherwise they 
are in one of the two states {j^I'''*"), if the basis Y 

is chosen by Alice. Here the two bases of an entangled 
photon pair BC are defined as 
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It is obvious that these two bases can be transformed 
into each other by the transformations \ — x)c | + y)c 
and I -I- a;)c ^ \ — y)c, as same as the KKI scheme [31 
in which \ — z)c ^ \ + x)c and \ + z)c *^ \ — x)c- It is 
not difficult to prove that the other one-way ECEC QSS 
schemes [l, [^, Q are equivalent to the KKI scheme with 
or without a little of modification. 

Our opaque attack scheme on the KKI scheme includes 
two procedures, the one for checking eavesdropping and 
the one for generating a private key (or for sharing quan- 
tum information). Let us first describe the attack on 
eavesdropping check. It includes the following two steps. 

(a) The dishonest agent Bob first intercepts the pho- 
ton C sent from Alice to Charlie, and replaces it with 
a fake photon C which is one particle in the Bell state 
\(I)^)b'C' = M\ + z)b'\ + z)c' + I - z)b'\ - z)c') pre- 



pared by Bob himself. Moreover, he uses a near lossless 
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quantum channel to receive the photons B and C sent 
from Alice, and stores them with a quantum memory. 

(b) When and only when Bob gets the information that 
the photon B is chosen as the sample for detecting eaves- 
dropping, he performs a Bell-state measurement on the 
photons C and B' . If he obtains the result \(j)^)B'C = 
^(1 + z)b'\+ z)c + \ - z)b'\ - z)c), Bob measures the 
photon B with the basis Z or the basis X, the same as 
that in the original KKI scheme, and announces the out- 
come of the single-photon measurement. If Bob gets the 
result |V'")b'c = ^(| + z)b'\ - z)c-\- z)b'\ + z)c), 
he first takes the operation iay — \ + z){—z\ — \ — z){+z\ 
on the photon B and then manipulates it as same as the 
case with the result b'c- If he gets the other two Bell 
states \(I)~)b'C = -^{\ + z) b'\ + z)c - \- z) b'\ - z)c) and 

|V'+)b'C = ^Tjd + z)b'\ ~z)c + \~ z)b'\ + z)c), he de- 
clares he did not receive that particular bit. As he knows 
the fact that his eavesdropping will introduce errors in 
the outcomes when Bob obtains |0~)b'C or b'c, his 
cheating will erase the errors in the test bits. Of course, 
Bob's cheating will in principle induce 50% losses of the 
outcomes in an ideal condition. 

Suppose that the honest agent Charlie obtains the out- 
come \Rc') = a\ + z) + b\ — z) when he measures the 
photon C" with the basis Z or X. The photon B' will 
collapse to the state \Rb') = \Rc') as well. After the 
Bell-state measurement was done by Bob on the photons 
B'C and the result |0^)_b'c was obtained, the photon B 
will collapse to the the states (without being normalized) 
a\+z)-b\-z),a\-z)+b\+z), {a-b)\+z)-ia+b)\+z) , and 
{a + b)\+z) + {a — b)\~z) when the entangled photon pair 
BC is prepared by Ahce in the states \(j)~)BC: \''P'^)bC: 
\^~)bc, and |^'+)_bcj respectively. Table I shows the 
states obtained by the three participants when Bob uses 
our opaque attack scheme and obtains the result \<t)'^)B'c- 
Alice's states are given in the columns and Charlie's out- 
comes are given in the rows. Bob's states before he mea- 
sures the photon B with a correlated basis appear in the 
boxes. They are the same as those in the original KKI 
QSS scheme. The difference between the results \4>'^)b'C 
and |'0~)b'C is just the unitary operation iay. That is 
to say, Bob's attack will introduce no error in the test 
bits for detecting eavesdropping if he obtains the result 
\4'^)b'C or \ijj~)B'C no matter what the state of the orig- 
inal two photons B and C prepared by Alice is and the 
bases chosen by the two agents for their photons. If he 
gets the other two Bell states, which takes place with 
the probability 50%, he will introduce about 50% error 
rate in the test bits, but he can hide these errors with 
cheating. That is, for these outcomes, he tells Alice and 
Charlie that he gets nothing when he measures the pho- 
ton B because of the quantum channel losses. So Alice 
and Charlie cannot detect this eavesdropping if the losses 
aroused by the quantum channel is more than 50% no 
matter what the order of the information published do 
the three participants choose, not the case claimed in the 
original KKI QSS scheme. 



TABLE I: The states obtained by the three participants Alice, 
Charlie and Bob. 
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For the other instances used for creating a private key 
(not for checking eavesdropping). Bob need only perform 
a Bell-state measurement on the two photons B and C 
after Alice announces their basis, and then he can get 
all the information about Alice's key Ka. On the other 
hand, in the period of declaring bases for the key bits. 
Bob can announce a fake information about the sequence 
of the bases Z and X, and then measure the photon B' 
with the same basis as chosen by Charlie and obtain the 
key Kc after Charlie publishes her bases for the out- 
comes. In this way, the eavesdropping done by Bob can- 
not be detected. 

So far, we have presented our opaque attack scheme 
for the dishonest agent to eavesdrop the one-way ECEC 
QSS fully and freely with the typical model, the KKI QSS 
scheme \^. This attack scheme works for other one-way 
ECEC QSS schemes 0, Q, 0, 0, 0, S, Ul, UR, B \M, 
including those for sharing an unknown quantum state 

U, U2, S m, with or without a little of modifica- 
tion as Bob only measures the photons used for the test 
bits, not for message before he gets all other information 
published by Alice and Charlie. Bob does not introduce 
errors in the test bits but only produces losses. The losses 
induced by Bob can be, however, hidden in the channel 
losses. Same as Ref. [221, ^s suppose that Alice and 
her agents use an original quantum channel with a to- 
tal transmission efficiency rj not exceeding 50%. Typical 
values of rj for long-distance experimental quantum com- 
munication well fit this range [23.[23|. For eavesdropping. 
Bob replaces the original quantum channel by a better 
one with the transmission efficiency 77'. The probability 
Pe that Bob can eavesdrop the one-way ECEC QSS freely 
with this opaque cheating attack scheme is Pe = ^^''^7'''' 
when 77' < 2ri; otherwise, P^ — 100%. In order to keep 
the transmission efficiency rj between Alice and Charlie, 
Bob should filter out (1 -t?) x 100% of the fake photon C 
reaching Charlie. In this way the information about the 
eavesdropping is completely erased from the outcomes 
obtained by Charlie in the detecting eavesdropping pro- 
cedure and the message sharing procedure. This means 
that Bob can eavesdrop fully and freely the information 
in the one-way ECEC QSS if he replaces the original 
quantum channel with a better quantum channel whose 
total transmission efficiency is double of that of original 
one and controls the balance of transmission efficiencies. 

Let us now consider how to improve the one-way ECEC 
QSS to make it secure. Its insecurity over a lossy quan- 
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turn channel in principle arises from two factors. One is 
that the dishonest agent Bob always controls a photon 
which is entangled with the other one received by the 
honest agent before the participants do their eavesdrop- 
ping check. The other one is that the test eavesdropping 
procedure is a collective one, i.e., dependent on the infor- 
mation published by the dishonest agent. The first fac- 
tor gives Bob the chance that he can obtain a correlated 
outcome with a certain probability in the eavesdropping 
check procedure and also get correctly all the information 
obtained by all the participants subsequently (especially 
in the case for sharing an unknown quantum state) . The 
second factor provides Bob the tools to erase the errors 
produced by his attack in the test eavesdropping proce- 
dure. For improving the security of one-way ECEC QSS, 
the boss Alice can disentangle the two photons sent from 
her to her two agents for the outcomes in the test bits. 
In this way, the eavesdropping check procedures between 
Alice and Bob, and Alice and Charlie are as same as the 
Bennett-Brassard 1984 (BB84) QKD scheme [2I which 
is proven secure for generating a private key [25j . We 
should confess that the modified one-way ECEC QSS for 
sharing a private key, to some extent, is not better than 
two BB84 QKD processes as the latter provides a simple 
way for three participants to share a private key effi- 
ciently without resorting to entanglement at the expense 
of exchanging a little more classical information. As for 
the one-way ECEC QSS for sharing an unknown quan- 
tum state, the two photons prepared by the boss Alice 
and sent to her two agents for checking eavesdropping 
should be in a product state. 

In conclusion, we have presented an undetectable 
opaque cheat attack scheme for the dishonest agent in 
one-way ECEC QSS to eavesdrop the outcomes obtained 
by the other agent. This scheme works on the realis- 
tic implementation of one-way ECEC QSS if the quan- 



tum channel losses cannot be ignored. The dishonest 
agent first intercepts the photons sent from the sender 
and stores them. He sends the other agent a fake pho- 
ton in a Bell state and exploits the quantum losses to 
hide his action when the fake photon is chosen for de- 
tecting eavesdropping. As he can control the efhciency 
of transmission, he can eavesdrop the QSS freely. Obvi- 
ously, this attack is efhcient in the case there are more 
than two agents in a QSS scheme with a little modifica- 
tion as well. We also suggest a general way for improving 
the security of one-way ECEC QSS. It works especially 
when the QSS schemes are used to share an unknown 
quantum state. 

This work is supported by the National Natural Sci- 
ence Foundation of China under Grant Nos. 10604008 
and 10435020, and Beijing Education Committee under 
Grant No. XK100270454. 

Note added- The anonymous referee thinks that 
there is no security loophole in one-way ECEC QSS 
schemes if a standard key sifting procedure, in which 
the events where no photon was detected are removed 
before the participants perform the common eavesdrop- 
ping check, is performed. This is true when the QSS 
schemes are used for sharing a classical information be- 
cause all the participants measured all the particles in- 
cluding those used for distilling a private key, which will 
give no chance for the dishonest agent to get the out- 
comes obtained by the other agent perfectly. However, 
this way does not work when the QSS schemes are used 
for sharing an unknown quantum state as the dishon- 
est agent need not measure the particles for sharing the 
unknown quantum state (he need only measure the parti- 
cles used for checking eavesdropping), which means that 
they are insecure in this time even though the partici- 
pants exploit a standard key sifting procedure to check 
eavesdropping. 
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